Medical device risk management hinges on strong processes

Establish an inventory of medical devices

McDonald said medical device risk management should start with an inventory of the organization's medical devices.

Kevin McDonald

"You can't protect what you don't know about," McDonald said at the Radiological Society of North America's annual meeting.

As such, McDonald said establishing a relationship between the health technology management and IT departments is critical. Together, they should gather as much medical device information as possible for the inventory such as the current operating system information and software security.

"As much information as you can gather upfront you should," he said.

Another thing to consider: A large portion of medical devices, particularly in imaging, come connected to other devices such as a computer monitor. Because of that kind of connectivity, McDonald suggested healthcare CIOs see a medical device not as a stand-alone piece of equipment but as a family with connections or relations. In other words, the challenge for CIOs isn't to just secure the medical device itself. They'll also have to secure the flow of data from one connected device to another.

Keeping current is another key part of the inventory process, McDonald said. He recommends that CIOs implement a centralized purchasing process and establish network access control systems in an effort to keep compromised devices off the healthcare organization's network.

Create a medical device program

McDonald suggested that healthcare CIOs institute a medical device program, which can bring focus to the inherent risks posed by connected medical devices.

You can't protect what you don't know about.

"Your goal is not to keep devices off your network that have poor cybersecurity," McDonald said. "Your goal is to make sure that you provide the best patient care in the safest manner you can and that the decisions you make are transparent and the decisions are made at the right level and the risk is known to everybody."  

To start, McDonald said organizations need to set goals for the program. They should include identifying vulnerabilities and risks to technologies and patients. Once vulnerabilities and risks are identified, he suggested that CIOs establish processes on how to mitigate vulnerabilities.

The medical device program should incorporate security standards, ideally from a standards body vendors are familiar with such as the Healthcare Sector Coordinating Council plan or the Cybersecurity Act of 2015, Section 405(d).

"Pick [a set of standards] and follow it," McDonald said. "You'll have to go through and see which one is most applicable and which one speaks best to your institution. And you'll need to turn these into something you can measure and test against."

McDonald recommended healthcare organization's keep standards concise and focused on risk. The standards can also function as a template to review the program, to determine a level of risk and to create questions for vendors.

Having an intake process for evaluating new devices is an integral part of medical device risk management, which should include prioritizing new devices as they come into the organization, McDonald said. CIOs will have to determine what medical devices pose the highest risk to patients and to the organization's workflow. To do so, he recommended they assess the medical device's operating system components, access passwords and ascertain if the medical device adheres to security standards.

More medical device risk management steps

Establishing an inventory, as well as a medical device program, is key, but McDonald stressed that CIOs will have to find ways to monitor and maintain the security strategy.

For example, McDonald said it's important to measure individual device and device fleet risk because it allows CIOs to look at the overall enterprise and determine if a particular device or multiple devices pose the most risk to an institution.

"Do we want to go after one exotic device or go after 1,000 ultrasound machines to lower the overall risk of the institution," he said.

Developing internal and external partnerships can also help provide a way to maintain security over the lifetime of the device. Partnerships with external organizations such as the U.S. Food and Drug Administration, vendors, standards bodies and peer health organizations can keep CIOs up to date on security measures. Internal partnerships with clinical and IT departments, as well as supply chain management, can help keep internal devices current.

McDonald advised CIOs to integrate medical devices into the organization's enterprise security program and highlighted the importance of establishing the right clinically lead governance program to make sure decisions regarding security and risk are made by "somebody in the institution who has been deemed the person to accept institutional risk," he said.

Governance can take different forms depending on how the organization is managed, McDonald said. At Mayo Clinic, employees from across the organization participate in establishing appropriate security standards and processes, as well as deciding what devices to purchase and what risks to take on.

Finally, it's important to know FDA guidance and hold vendors accountable to meet those standards. McDonald called this a crucial part of medical device risk management.

"This is a journey, so immediate attention is needed. But you need to do it with an ongoing, steady progress," McDonald said. "The motto we live by, we like to make sure we have visibility, transparency and the moral high ground. The right people need to see the issues, all the risks, benefits need to be there, and we need to make sure that we do the right thing both by the patients and by the institution."